Solution Components
Rubrik CDM is deployed as a purpose-built appliance, so no separate software installation is necessary. The deployment process for protecting VMware Cloud on AWS workloads consists of launching a cluster of M5.4xlarge EC2 instances, known as a Cloud Cluster, from the AWS Marketplace into the VPC attached to the protected SDDC. These instances can be deployed directly from the AWS Marketplace, via the Amazon EC2 console, or by utilizing an AWS CloudFormation template provided by Rubrik. Once these instances are deployed and the cluster is initialized, the customer simply adds their SDDC to Rubrik CDM, then begins creating and assigning SLA Domain Policies as required via Rubrik’s management user interface.
Rubrik clusters use the vSphere Storage APIs – Data Protection (VADP) and the Virtual Disk Development Kit (VDDK) to integrate with vSphere to deliver highly efficient virtual machine image level data protection and recovery. When protecting VMware Cloud on AWS workloads, Rubrik CDM leverages the hotadd transport mode for data transmission to and from the Rubrik CDM cluster. The proxies required to support this transport mode are automatically provisioned, monitored, scaled, and deprovisioned by Rubrik CDM. The customer needs only to provide the network segment(s) in which they will run when adding the SDDC. In addition to protecting your virtual environment, Rubrik can also protect file shares, databases, and public cloud workloads.
For more information on product deployment, interoperability, or compatibility with VMware products, see https://support.rubrik.com.
Operational Overview
The following activities are typical for an enterprise customer deploying Rubrik CDM to protect VMware Cloud on AWS workloads.
VMware Cloud on AWS Network configuration
Below is a recommended list of rules for use in the AWS Security Group applied to the Rubrik Cloud Cluster running in the connected AWS VPC:
Suggested Cloud Cluster Security Group Rules
Direction | Source / Destination | Service | Purpose |
Inbound | <SG ID of this SG> | All | Intra-cluster communication |
Inbound | Management SG or CIDR | TCP 22 | Cluster Admin CLI |
Inbound | Management SG or CIDR | TCP 443 | Cluster Admin UI |
Outbound | HotAdd Proxy CIDR | TCP 58000 | Proxy Control |
Outbound | vCenter IP | TCP 7444 | vCenter SSO |
Outbound | vCenter IP | TCP 443 | vCenter API |
Outbound | ESXi CIDR | TCP 443 | vSphere API |
Outbound | Protected vSphere VM CIDR | TCP 12800-12801 | Rubrik Backup Service |
Additionally, consider whitelisting TCP 443 outbound globally to facilitate log bundle collection, support tunnel access, CloudOut, and similar services. If specific IP ranges are required, please contact Rubrik support.
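The suggested rules lend themselves to an automated check. The following is an added example, not Rubrik code: it audits one security group, in the shape returned by EC2 DescribeSecurityGroups, against the table above, treating global egress as acceptable on TCP 443 only. The function names, the group ID and the CIDRs in the sample are constructed for illustration.

```python
# Added example: audit a Cloud Cluster security group against the suggested rules.
# Input has the shape of one group from EC2 DescribeSecurityGroups (assumption).
ANY, SELF = "0.0.0.0/0", "Intra-cluster communication"
EXPECTED = {  # (direction, protocol, from_port, to_port) -> purpose, from the table
    ("in", "tcp", 22, 22): "Cluster Admin CLI",
    ("in", "tcp", 443, 443): "Cluster Admin UI",
    ("out", "tcp", 58000, 58000): "Proxy Control",
    ("out", "tcp", 7444, 7444): "vCenter SSO",
    ("out", "tcp", 443, 443): "vCenter API / vSphere API",
    ("out", "tcp", 12800, 12801): "Rubrik Backup Service",
}

def audit(sg):
    findings, seen = [], set()
    for direction, key in (("in", "IpPermissions"), ("out", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            if perm["IpProtocol"] == "-1":
                # Only the inbound self-referencing rule may allow all traffic.
                if direction == "in" and not cidrs and groups == [sg["GroupId"]]:
                    seen.add(SELF)
                else:
                    findings.append(f"{direction}: all-traffic rule beyond the self-reference")
                continue
            rule = (direction, perm["IpProtocol"], perm["FromPort"], perm["ToPort"])
            if rule not in EXPECTED:
                findings.append(f"{direction}: unexpected {rule[1]} {rule[2]}-{rule[3]}")
                continue
            seen.add(rule)
            # Global egress is suggested for TCP 443 only; nothing inbound is global.
            if ANY in cidrs and rule != ("out", "tcp", 443, 443):
                findings.append(f"{direction}: {EXPECTED[rule]} open to {ANY}")
    for rule in [*EXPECTED, SELF]:
        if rule not in seen:
            findings.append(f"missing: {EXPECTED.get(rule, rule)}")
    return findings

def tcp(lo, hi, cidr):
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

SAMPLE = {  # constructed input with three deliberate deviations
    "GroupId": "sg-0example",
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
                      tcp(22, 22, ANY), tcp(443, 443, "10.0.0.0/24")],
    "IpPermissionsEgress": [tcp(443, 443, ANY), tcp(58000, 58000, "192.168.10.0/24"),
                            tcp(7444, 7444, "10.2.224.4/32"), tcp(3389, 3389, "10.0.0.0/8")],
}
print("\n".join(audit(SAMPLE)))
```

A newly created AWS security group carries a default allow-all egress rule, which this check reports as an all-traffic rule until it is replaced with the specific outbound entries.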
Similarly, the AWS Compute and Management gateway firewalls will need to be configured to allow the following traffic flows. The distributed firewall should also be configured to allow these traffic flows, as should any third-party network devices in the data path.
Suggested Compute Gateway Rules
Source | Destination | Service | Applied To | Purpose |
Connected VPC | Proxy Network Segment | TCP 58000 | VPC Interface | Proxy Control |
Connected VPC | Protected VM Segment(s) | TCP 12800-12801 | VPC Interface | RBS File Restore |
Suggested Management Gateway Rules
Source | Destination | Services | Purpose |
Connected VPC | vCenter | TCP 7444 | vCenter SSO |
Connected VPC | vCenter | TCP 443 | vCenter API |
Connected VPC | ESXi | TCP 443 | vSphere API |
Proxy Network Segment | vCenter | TCP 7444 | vCenter SSO |
Proxy Network Segment | vCenter | TCP 443 | vCenter API |
Proxy Network Segment | ESXi | TCP 902 | vSphere API |
The diagram below depicts a typical deployment scenario where a customer is protecting their SDDC utilizing a Rubrik Cloud Cluster in the attached AWS VPC.
Initial Setup and Configuration
Once the Cloud Cluster has been deployed and bootstrapped, it is ready to use. The customer simply adds their SDDC as a vCenter Server within Rubrik CDM using an account assigned the built-in cloudadmin role. Rubrik will detect the SDDC, prompt the user for credentials, and then prompt the user to select a network segment for proxy deployment as well as their preference for DHCP or static proxy IP assignment. Once complete, Rubrik will automatically begin deploying hotadd proxies as required to the SDDC’s vSphere cluster(s) and will iterate the discovered VMs and other assets into the Rubrik console, ready for protection. You can begin interacting with the newly discovered VMs by using the No SLA link on the main dashboard.
SLA Domain Policies
Rubrik’s SLA Domains simplify data protection by abstracting the desired RPO, RTO, Availability, and Replication requirements into a declarative policy. Rubrik provides Gold, Silver, and Bronze default SLA Domains that are ready for immediate use.
For example, an enterprise could choose to protect mission-critical workloads with the data backup, retention, replication, and archival policies specified in the Gold SLA Domain and protect web servers through the policies defined in the Bronze SLA Domain.
Custom SLA Domains can be quickly and easily created. Create custom SLA Domains to apply to groups of virtual machines. Use the custom SLA Domains to meet the data protection and retention requirements of different groups of virtual machines and applications.
Workload Protection
To protect a workload, select any vSphere object such as a folder, cluster, data center, or individual virtual machines running in the SDDC that you would like to protect. Click Manage Protection. From there, a list of available SLA Domains will be presented.
In the following example, the horizon-sql-01 virtual machine is assigned the Horizon Infrastructure SLA Domain.
File Search and Recovery
The Rubrik cluster provides file-level restore (FLR) of files and folders from any local snapshot, replica, or archival snapshot that was successfully indexed. The guest OS of the source virtual machine must have a current version of VMware Tools running to enable successful indexing. Restore a file from a data protection object through the Rubrik cluster web UI. Browse the virtual machine file system on the data protection object and select the file.
The Rubrik cluster processes the request and provides a link for download of the file or allows for an in-place restoration to the original workload.
Export
For image-level recovery of VMware Cloud on AWS VMs, Rubrik offers the Export operation. When exporting a snapshot, the user selects the cluster or host and datastore they wish to recover to. Customers can also choose to remove NICs, preserve the MAC, and include or exclude tags when exporting a snapshot.
Features of the Backup Solution
Questions | Choose from the list (all that apply); provide free text when there is no list |
What backup repositories are supported? | AWS S3, AWS EC2, AWS cross-region, on-premises object or NAS, Azure Blob, Google Cloud Storage, S3 Compliant Object |
How is backup data transmitted to the repository? | ENI |
Describe the implementation of the Datamover component | Multi Proxy |
Datamover Scale | One per SDDC to Multiple per cluster |
In large SDDCs (>500 VMs, >nTBs), your solution may scale data movers. How do you scale? | Data mover scale is determined by the number of VMs and SLA domain policy |
How are additional data movers provisioned? | Automatic |
Describe additional functionalities of image-based backups | File-based recovery; App consistency via VSS; App consistency via pre/postscript |
Describe if in-guest backup options are available | API |
Describe security features | Encryption at rest; Encryption in transit; Immutable Filesystem |
Describe network bandwidth/utilization control features | Configurable bandwidth |
Describe the design of deduplication/compression features | Source Side (VMC) |
Describe added-value services/features not listed above | Ransomware detection and rollback via Polaris Radar; Data classification via Polaris Sonar |
Hybrid centralized management: Describe how on-premises and VMC backups can be managed. Do you support single management console? | Unified management for VMC, on-prem vSphere, databases, filesystems, and public cloud workloads via Rubrik’s Polaris platform |
Hybrid restore/migration mode: Describe how a VM can be restored from on-premises backup to VMC or from VMC to on-premises. For example, let’s say that you have a hybrid configuration. On-premise with local backup, in VMC with cloud backup. What happens if an on-premise VM is migrated to VMC? Will the backup solution automatically update the location of the repository or will the VM still be backed up on premise? | Yes. vSphere VMs can be protected, replicated, and restored between Rubrik clusters protecting VMware Cloud on AWS SDDCs and those protecting traditional VMware environments. Upon restoration to the target site, Rubrik will automatically discover the newly protected VM and apply the appropriate policy locally. |
Solution Architecture
Depending on the scale of the Dimension environment and the infrastructure available at the Dimension site, either a Rubrik appliance, a virtual Rubrik cluster, or a Rubrik edge can be deployed.
For small Dimension environments, where no additional infrastructure is expected at the ROBO site, a virtual Rubrik edge is deployed in the Dimension environment. Rubrik Edge cannot be deployed as a standalone product and must be configured to replicate to a Rubrik cluster or archive to a replication location or both.
For larger Dimension environments, where additional infrastructure is expected at the datacenter, a Rubrik appliance is deployed in the data center. It must be configured to protect Dimension in a manner similar to the configuration used to protect VMC on AWS.
For more information on product deployment, interoperability, or compatibility with VMware products, see https://support.rubrik.com.
Support Information
Troubleshooting (logs, procedures, and techniques)
Support Process
Support SLAs
For more information on Rubrik Cloud Data Management, see https://www.rubrik.com/product/overview/